> Like many educational institutions we get "educational certificates" that are chain certificates.
>
> With apache the full certificate chain is working as expected.
>
> For elog I copied the appropriate files to server.crt and server.key
>
> Netscape 3 is happy with that setup, Internet Explorer and Opera are mentioning the open certificate chain.
>
> When I tried to copy the file known as SSLCACertificateFile in Apache to chain.crt, elogd no longer works
> and
>
> openssl s_client -showcerts -connect <myserver>:<elogd_port>
>
> only shows:
>
> CONNECTED(00000003)
> 25523:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
To be honest I'm not an expert on SSL. I just use the following code inside ELOG to initialize the SSL connection:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* resource_dir, file_exist(), eprintf(), strlcpy() and strlcat() are ELOG's own helpers */

SSL_CTX *init_ssl(void)
{
   char str[256];
   const SSL_METHOD *meth;
   SSL_CTX *ctx;

   SSL_library_init();
   SSL_load_error_strings();

   meth = SSLv23_method();
   ctx = SSL_CTX_new(meth);
   if (ctx == NULL)
      return NULL;

   /* server certificate (the leaf only) */
   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/server.crt", sizeof(str));
   if (!file_exist(str)) {
      eprintf("Certificate file \"%s\" not found, aborting\n", str);
      goto error;
   }
   /* SSL_CTX_use_* and SSL_CTX_check_private_key() return 1 on success; anything
      else is a failure, so the earlier test for "< 0" let a failed load pass */
   if (SSL_CTX_use_certificate_file(ctx, str, SSL_FILETYPE_PEM) != 1)
      goto error;

   /* private key belonging to server.crt */
   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/server.key", sizeof(str));
   if (!file_exist(str)) {
      eprintf("Key file \"%s\" not found, aborting\n", str);
      goto error;
   }
   if (SSL_CTX_use_PrivateKey_file(ctx, str, SSL_FILETYPE_PEM) != 1)
      goto error;

   /* optional chain file: its FIRST certificate replaces the one loaded above as
      the server certificate, the remaining ones are sent as the chain. It must
      therefore start with server.crt followed by the intermediate CA certificates;
      a file holding only CA certificates (Apache's SSLCACertificateFile) makes the
      presented certificate no longer match server.key */
   strlcpy(str, resource_dir, sizeof(str));
   strlcat(str, "ssl/chain.crt", sizeof(str));
   if (file_exist(str) && SSL_CTX_use_certificate_chain_file(ctx, str) != 1)
      goto error;

   /* checked last, so that it tests the certificate actually in use */
   if (SSL_CTX_check_private_key(ctx) != 1)
      goto error;

   return ctx;

error:
   ERR_print_errors_fp(stderr);  /* show the specific OpenSSL error */
   SSL_CTX_free(ctx);
   return NULL;
}
Maybe I need something different for chain certificates, but I don't know. I just copied these calls from the
example which comes with the libssl library which I'm using. Maybe somebody has an idea how this could be
improved. Actually looking at the code I see that the 'chain.crt' file is used. If you send me your files
privately I could try them and see if I get a specific error code from the SSL library.
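A sanity check for the three files that init_ssl() loads, added here as an example and not part of ELOG. It assumes the openssl command-line tool and the ssl/server.crt, ssl/server.key and ssl/chain.crt layout from the code above; the function names are mine.

```sh
#!/bin/sh
# Added example, not ELOG code: sanity-check the files elogd's init_ssl() loads
# from $resource_dir/ssl before restarting the server. Needs the openssl CLI.

# Number of PEM certificate blocks in a file; a chain file needs at least two.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# SHA-256 fingerprint of the FIRST certificate in a PEM file. `openssl x509`
# reads only the first block, which is also the block that
# SSL_CTX_use_certificate_chain_file() installs as the server certificate.
first_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# True when the private key in $2 belongs to the (first) certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf in $1 chains through the intermediates in $2 to a root;
# the root comes from $3 if given, otherwise from the system trust store
# (the view a browser has).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Run every check on an elogd ssl/ directory; prints the first problem found.
check_elog_ssl_dir() {
    dir=$1
    key_matches_cert "$dir/server.crt" "$dir/server.key" ||
        { echo "server.key does not belong to server.crt"; return 1; }
    [ -f "$dir/chain.crt" ] ||
        { echo "no chain.crt: only server.crt will be sent"; return 0; }
    [ "$(first_cert_fingerprint "$dir/chain.crt")" = "$(first_cert_fingerprint "$dir/server.crt")" ] ||
        { echo "chain.crt must start with server.crt, then the CA certificates"; return 1; }
    [ "$(pem_cert_count "$dir/chain.crt")" -ge 2 ] ||
        { echo "chain.crt holds no CA certificates after the server certificate"; return 1; }
    chain_verifies "$dir/server.crt" "$dir/chain.crt" ||
        { echo "server.crt does not chain to a trusted root via chain.crt"; return 1; }
    echo "ok: $dir"
}
```

Run it as `check_elog_ssl_dir /path/to/resource_dir/ssl`; a chain.crt whose first block is a CA certificate rather than server.crt is reported before elogd ever fails the handshake.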